Optus data breach: what to do if you’re impacted


As details about the recent Optus data breach continue to emerge, you’re likely wondering how to protect your data if you’re among the affected customers.

Millions of Australians’ contact details were exposed as part of the breach, in one of the country’s biggest cyber security threats. For some, this also included proof of identity documents like driving licences and passports, raising fears over identity theft and similar scams.

If you, like many Australians, are a victim of the recent data leak, here are some practical steps to help stay secure and minimise risk. Be aware that because the situation is developing, some information may change.

Don’t click on any links in emails or SMS

If your email address and phone number fall into the hands of scammers, expect an increase in phishing attempts. This is where someone sends messages claiming to be from a reputable organisation, only to redirect you to a site where they can capture more of your sensitive information. Scammers have recently targeted LinkedIn users via this method. Sophisticated phishing attempts look almost identical to emails and websites from genuine companies, so it’s best to be safe and avoid clicking on any links.

For example, if you believe your bank or telco recommends you change a password, don’t click on any links sent to you. Even if it’s the real deal, it’s not worth the risk. Instead of clicking on a link, open a web browser and type the correct URL manually. This way, you know you’re visiting a legitimate website and can access your information securely.

In fact, in the most recent advice from Optus, the company explicitly states it will not include links in its direct communications. So, if something arrives in your inbox with a link, delete it.

Change your passwords and use a password manager for extra security

Although Optus claims no passwords have been compromised, it’s always a good idea to change your password after a data leak. Create a difficult-to-guess password with a mix of lowercase and uppercase letters, numbers and symbols. Also, ensure you aren’t using the same password for multiple accounts (banking, social media, etc.). Otherwise, every one of those accounts is at risk when that password gets out. If you do use the same password in multiple places, change each of them to a unique one.

An easy way to manage this is to use a dedicated password program to generate and store secure passwords. There are multiple options available, many of which are relatively affordable, ranging from free for individual use to a few dollars a month for families. 1Password and LastPass are popular choices, as they include browser extensions and mobile apps to access passwords wherever you need them. It’s generally not recommended to use the in-built password storage tools of a browser (like Chrome or Firefox), as these are not as secure as dedicated password software.

Another option for Apple users is to enable iCloud Keychain. It’s a free password manager that creates and stores passwords across Apple devices, which makes it helpful if you use an iPhone and a Mac.

Also, enable two-factor authentication whenever you can. When it is enabled, you need to enter a limited-time code generated by a separate app, or provide another form of verification, in addition to your password.

Update your proof of identity documents

Numbers on driver’s licences, passports and Medicare cards used to provide 100 points of identification were included in the Optus data breach. Although Services Australia has reassured Medicare card holders that no one can access their account with just the number, you can request a new card with a different last digit. The rest of your Medicare number remains the same.

For anyone who provides proof their licence details were compromised, several jurisdictions – including Victoria, Queensland, South Australia, and New South Wales – are providing free replacements. How to do this differs between states, however. Currently, NSW residents need to pay the $29 replacement fee up-front and then apply for Optus to reimburse the cost. Given that details are rapidly changing, visit the website of your state or territory’s government services to get the most up-to-date information.

Replacing passports is a bit more complex. As a result of COVID-19, obtaining a new or replacement passport can take multiple months. There are calls for the Federal Government to create a fast and inexpensive passport solution for those impacted by the Optus breach.

If you’re worried about any banking details, contact your financial institution to have your cards re-issued and to receive advice on further steps you can take. Many banking apps let you “lock” your cards in the event they are lost or stolen.

Additionally, Optus is offering impacted customers a free 12-month subscription to Equifax Protect, a service that helps monitor your credit history and reduce the risk of identity theft. For further support, IDCARE, Australia and New Zealand’s national identity and cyber support service, is also assisting those affected.

Educate yourself on the risks of a data breach

Above all else, research what happens with stolen data and how data theft occurs in the first place. Hackers looking to make money may try to sell personal information via the dark web, which may lead to identity theft and people spending your money.

Arming yourself with knowledge means you’ll know what to do in the event of a data breach and be able to identify the scams that follow.

Additional resources you can turn to include Scamwatch and the Australian Cyber Security Centre for updates on the latest threats.